
Ensure that the default Ingress certificate has been replaced

An XCCDF Rule

Description

Check that the default Ingress certificate has been replaced.

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default API endpoint, and save its response to the local file /apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default.

Rationale

OpenShift auto-generates several PKIs to serve TLS on different endpoints of the system. It is both possible and necessary to configure a custom PKI so that external clients can trust those endpoints. The Ingress Operator is the component responsible for enabling external access to OpenShift Container Platform cluster services. It creates an internal CA and issues a wildcard certificate that is valid for applications under the .apps sub-domain; the web console and CLI use this certificate as well. Because a certificate from a trusted provider is needed, this certificate and its key must be replaced. See https://docs.openshift.com/container-platform/latest/security/certificates/replacing-default-ingress-certificate.html
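As an added illustration, not part of the SSG content or its OVAL check, the following Python evaluates a retrieved IngressController dump the way this rule is described: it assumes the dump is the JSON form of the object and that the pass criterion is a non-empty spec.defaultCertificate.name referencing an administrator-supplied secret. Both sample objects are constructed.

```python
import json
from typing import Any

# Constructed samples shaped like the dump file this rule reads
# (/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default).
# Only the fields relevant to the check are included.
REPLACED = json.dumps({
    "apiVersion": "operator.openshift.io/v1",
    "kind": "IngressController",
    "metadata": {"name": "default", "namespace": "openshift-ingress-operator"},
    "spec": {"defaultCertificate": {"name": "custom-ingress-certs"}},  # constructed secret name
})

NOT_REPLACED = json.dumps({
    "apiVersion": "operator.openshift.io/v1",
    "kind": "IngressController",
    "metadata": {"name": "default", "namespace": "openshift-ingress-operator"},
    "spec": {"replicas": 2},  # no defaultCertificate: operator-generated cert in use
})


def default_ingress_certificate_replaced(dump: str) -> tuple[bool, str]:
    """Evaluate the rule against the raw JSON text of the IngressController dump.

    Returns (compliant, reason). Assumed criterion: the object is compliant only
    when spec.defaultCertificate.name names a secret, i.e. an administrator
    supplied a certificate instead of relying on the operator-generated one.
    Malformed input, a null defaultCertificate and an empty name all fail.
    """
    try:
        obj: Any = json.loads(dump)
    except json.JSONDecodeError as exc:
        return False, f"dump is not valid JSON: {exc}"
    if not isinstance(obj, dict) or obj.get("kind") != "IngressController":
        return False, "dump is not an IngressController object"
    spec = obj.get("spec") or {}
    cert = spec.get("defaultCertificate") if isinstance(spec, dict) else None
    name = cert.get("name") if isinstance(cert, dict) else None
    if not isinstance(name, str) or not name.strip():
        return False, "spec.defaultCertificate.name is not set; operator-generated certificate in use"
    return True, f"custom certificate secret {name!r} is configured"


if __name__ == "__main__":
    for label, dump in (("replaced", REPLACED), ("not replaced", NOT_REPLACED)):
        ok, reason = default_ingress_certificate_replaced(dump)
        print(f"{label}: {'PASS' if ok else 'FAIL'} ({reason})")
```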

ID
xccdf_org.ssgproject.content_rule_ingress_controller_certificate
Severity
Medium